wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
The size of the buffer than can be written to is currently incorrect, it is
always the size of the entire buffer even though the snprintf is writing
as position pos into the buffer. Fix this by setting the buffer size to be
the number of bytes left in the buffer, namely sizeof(buf) - pos.
Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6b
("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.com
This commit is contained in:
parent
bb43e5718d
commit
a9a4c080de
|
@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file, \
|
|||
wl1271_debugfs_update_stats(wl); \
|
||||
\
|
||||
for (i = 0; i < len && pos < sizeof(buf); i++) \
|
||||
pos += snprintf(buf + pos, sizeof(buf), \
|
||||
pos += snprintf(buf + pos, sizeof(buf) - pos, \
|
||||
"[%d] = %d\n", i, stats->sub.name[i]); \
|
||||
\
|
||||
return wl1271_format_buffer(userbuf, count, ppos, "%s", buf); \
|
||||
|
|
Loading…
Reference in New Issue